Microsoft, Apple confirm they have fixed the KRACK WPA2 protocol vulnerability; Google is working on a fix



Researchers have concluded that the WPA2 Wi-Fi protocol has a severe weakness that lets hackers within range of a vulnerable device or access point intercept passwords, e-mails, and other data, and in some cases inject malware into the website the person is visiting.

The new vulnerability is called KRACK, short for Key Reinstallation Attacks. The research was closely guarded for weeks before the official announcement, which was made yesterday along with the KRACK website that discloses the vulnerabilities. They affect the core WPA2 protocol itself. The attack is effective against devices running Android, Linux, and OpenBSD, and to some extent Mac and Windows, as well as MediaTek and Linksys. The site explains that attackers can exploit the flaw to decrypt sensitive data that is usually encrypted by the Wi-Fi protocol.

Vanhoef demonstrates the KRACK attack in a video, against a device running Google’s Android mobile operating system. The attack forces the phone to install an all-zero encryption key rather than the real key, and this works on Linux-based devices as well. Furthermore, the site states that using HTTPS-protected web pages is not necessarily a remedy for the weakness, as many improperly configured websites can be forced into dropping HTTPS.

Responding to the WPA2 protocol attack, Microsoft said that it has already fixed the issue for customers running supported versions of Windows. Google, on the other hand, is yet to address the issue and said that “an update is on its way in the coming weeks.” Google-owned Pixel phones will be the first to receive the security update, with a security patch level of November 6, 2017. Most other Android phones, however, are far behind the latest updates.

Apple has also confirmed that it is committed to rolling out a fix for the WPA2 Wi-Fi problem in the coming weeks, in the iOS, tvOS, watchOS, and macOS betas. That means Apple isn’t in the clear just yet. Time Machine, the AirPort Extreme base station, and AirPort Express do not have a patch available, and it is not clear whether one is in progress.
